New Details on Uni Security Lapse

A “massive breach of trust” with a side of “delicious irony”

Last Wednesday, a student tipped us off to the fact that a trove of private University files was accessible online because a security “door” had been left open. This door has since been closed, and we can now share more details about exactly what went down.

In June, the University set up a new online database as part of a move towards a new customer service system. Files would be stored on it for “varying amounts of time”, according to Chief Operating Officer Stephen Willis. Just a few months later, in August, a “technical fault” changed the access permissions on these files, meaning that anyone with an Otago Uni email address could get inside. This is a bit like storing your bank details on Google Drive and choosing “anyone with a gmail address” as your privacy setting.

Thousands of files were stored here and accessible in this way, which is how our source originally stumbled onto the lapse. He was searching for his own name, for fun, and on page three or four of the results he began to see a series of bizarre and apparently random spreadsheets, all owned by the same “admin” account. Once he took a look, he recognised one spreadsheet as a list of student names and phone numbers, and that’s when he called Critic. “I didn’t know who to go to”, he said. “The Uni didn’t have easily available info, I didn’t think OUSA would help. You guys know the procedures, so I figured you were the best port of call.” Bold call, but we'll take it.

We took a deeper look and found that the door was open far wider than initially thought. Passport details, invoices, and confidential meeting minutes were all easily accessible to anyone with an otago.ac.nz email address. Stephen told us that in their subsequent investigation, the Uni is “only focusing on about 200 documents that were potentially impacted”, rather than the entire trove.

Since an email address was needed to access the files, investigators can track which accounts opened which files - but it seems like our source and two Critic staff may have been the only outsiders to access this database. Stephen explained that “Those who have accessed as well as the pattern of their access indicates no evidence of malicious intent”, but nonetheless, “We are continuing to carefully investigate each interaction to ensure this is the case.”

This may be quite a bit of work, however. Critic Editor Fox Meyer accessed 21 files, while, somehow, in the same amount of time, News Editor Denzel Chung managed to open a whopping 193 files. That number looks a lot like the “about 200 documents” mentioned earlier.

Student reaction to the news was mixed, with some saying it was “frightening” and others expressing complete ambivalence: “All of my information has been leaked online already, probably,” said one, while another post-grad told us that “It’s alarming how easy some of these systems can be to exploit… I’m honestly not surprised it happened, but I’m just glad that it sounds like nobody evil got their hands on it.” Our source reckoned that this was a “touchy subject”, and that “if the Uni wasn’t gonna tell everyone, I feel like [Critic] would’ve… I think even seeing the Uni handling it now, they didn’t make it known. They sorta weren’t willing to divulge what info was there.” Even having the error in the first place represented “a massive breach of trust, of privacy. It goes against everything [the Uni] stands for”, he later explained. For their part, the University has since sent out an all-personnel email notifying all students and staff about the situation.

One ironic twist did not go unnoticed by students, however: that in the week leading up to news about the major cybersecurity lapse, the Uni had been promoting its cybersecurity programme. Taylor*, for one, said that hearing about the breach was “really, really scary, actually”, but that the mood was somewhat lightened when she saw that the Uni had booked a full-page ad for their cybersecurity programme in the same issue of Critic that ran the original security breach article. She laughed as she said “that’s not a good look at all”, and her friend Caleb* agreed that it was “pretty ironic.” He teased us by saying that he “could go on a whole rant but… nah. Ceebs.” Fair enough.

As for the ultimate cause of the “technical fault” that left the door open: that’s still up for debate. An investigation is underway to determine whether it was due to operator or computer error. Fortunately, in subsequent reviews of other Uni systems, “no significant issues have been raised” by ITS, and the Uni is “following due procedure and any advice given by the Office of the Privacy Commissioner… At this stage there has been no need to involve the Police.”

*Names changed

Posted 5:00pm Wednesday 12th October 2022 by Fox Meyer.